Spybot won't restart after reboot

I will skip your comments and return to them after we discuss the logs and see what is left to do.

ewido anti-malware - Scan report Created on: 5:56:32 PM, 5/11/2006You can see all of the CoolWebSearch junk that CWShredder was supposed to remove. Something happened in the way that was run and I am hoping ewido got it all. We will run in again in safe mode to be sure, but it is so obvious you had a bad CWS infection also.
Right at this point it looks like ewido was able to remove what it found. I have links to show you how to control those cookies if you wish. I also have no objections to you editing your name out of the ewido report.

Logfile of HijackThis v1.99.1 Scan saved at 6:22:48 PM, on 5/11/2006 This log appears to be clean of malware:bigthumb: how is this computer running now?
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is going to slow you a little, as will Prefetch until it repopulates. You can turn ewido off now or enjoy the benefits of the realtime protection for the trial period but it does use some resources. This is your call, and you can disable it in services when you wish, then keep and update the scanner if you wish, that is free. My canned:
ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Do this now to make sure none of that junk got in your System Restore files.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Now to your comments, for all programs that are running, good or bad, you are going to be prohitbited from changing or deleting by Windows if it is running. Normally just starting in safe mode when the program is not running will do it, sometimes you have to do it as an administrator, and yes we have tools like Killbox and Avenger that can do most anything. Seems to be a moot point as there appears to be no malware in the log.
Understand that HJT is a process manager, and when you remove an item from the HJT log the running process is stopped so you can delete an item. Some are harder than others, but in this case you have done the job.

This is what I would like you to do besides review the information I posted and purge the System Restore files.

1) Restart the computer in safe mode: http://www.bleepingcomputer.com/tutorials/tutorial61.html
Once you are in safe mode. open ewido and do a complete system scan removing anything located unless you know it is not bad. Save the scan report to post.
Empty your recycle bin and restart the computer to normal mode.

2) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

3) Post the ewido scan report (edit out personal names first) the Add Remove program list, and this time I need your comments. How is the computer running, what more do we need to do? Any error messages "word for word". Keep in mind this was one sick computer and we were none to gentle as we ripped some of the nasties out. Now is the time to look at your maintenance routines, scan disk, defragg, etc.

Thanks...Phil
 
Good morning Phil!

Sorry I couldn't finish this up last night...came in this morning though and found that ewido caught some more junk...the computer seems to be running fine with the exception of right after it starts up, before the icons appear on the desktop, the screen goes completely blue, and once the icons come back, they are surrounded by the blue highlighting...

Here are the logs as you requested...

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:52:03 AM, 5/12/2006
+ Report-Checksum: 723C4B8E

+ Scan result:

C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001275.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001276.exe -> Hijacker.VB.ly : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001277.exe -> Downloader.VB.abj : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001278.EXE -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001279.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001280.dll:rmpoj -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001280.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001281.exe:zwjaa -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001282.exe:pomvh -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001283.exe:oacun -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001283.exe:qoixz -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001284.dll:chjwp -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001284.dll:ifzde -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001284.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001285.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001286.dll:qocnl -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001286.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001287.ini:kfrfi -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001287.ini:nqoya -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001287.ini:oidbk -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001288.exe:bsjos -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001289.exe:hoqvo -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001289.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001290.ini:mqjuc -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001291.dll -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001292.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001293.ini:grjfk -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001293.ini:zqyiw -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001294.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001295.exe:vgvtm -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001295.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001296.ini:ljpda -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001297.dll:bjtdc -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001297.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001298.exe:rxgfo -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001298.exe:wckvb -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001299.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001300.INI:jqlul -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001300.INI:kignu -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001301.exe:zmybt -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001301.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001302.INI:kqsbd -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001302.INI:svpxr -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001303.ini:hhcwf -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001304.dll:wwuqn -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001305.INI:okrks -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001306.ini:tnaqy -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001307.exe:dhnbw -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001307.exe:ptokh -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001308.ini:przca -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001309.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001310.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001311.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001312.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001313.dll -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001314.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001315.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001316.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001317.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001318.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001319.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001320.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001321.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001322.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001323.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001324.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001325.dll -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001326.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001327.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001328.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001329.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001330.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001331.dll -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001332.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001333.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001334.exe -> Not-A-Virus.RemoteAdmin.Win32.PLSRemot : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001335.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001336.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001337.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001338.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001339.dll -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001340.dll -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001341.dll:zmdcf -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001342.dll:emday -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001343.ini:aegax -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001344.exe:djegt -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001344.exe:msydo -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001345.ini:kumbs -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001346.ini:rutqx -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001347.exe -> Dropper.Agent.aie : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001348.dll:dvhav -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001349.INI:eujym -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001349.INI:rtgfo -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001350.exe:jzxwc -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001351.INI:zfesl -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001352.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001353.ini:tyqne -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001354.prx:uzzfr -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001355.pif:pnjxo -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001356.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001388.exe -> Hijacker.VB.ly : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001389.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End

cont.
 
cont.

Access IBM
Access IBM Message Center
Access IBM Tools
Ad-Aware SE Personal
Adobe Acrobat 6.0 Standard
Adobe Photoshop 7.0
Agere Systems AC'97 Modem
alm
ATI Control Panel
ATI Display Driver
ATI HydraVision
BroadJump Client Foundation
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon IXY 320, PowerShot S230, IXUS v3 WIA Driver
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX (E)
CCleaner (remove only)
Concordance
DWG TrueView
ePAVE
ewido anti-malware
FairUse Wizard 2
Fiery Remote Scan 5.1.2.6
FirstClass® Client
Google Earth
HijackThis 1.99.1
Hotfix for Windows XP (KB909394)
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - Scanners
IBM Access Connections
IBM Access Support
IBM Access Support - Local Content Pack
IBM DLA
IBM Rapid Restore PC Setup
IBM RecordNow
IBM RecordNow Update Manager
IBM Themes
IBM ThinkPad Battery MaxiMiser and Power Management Features
IBM ThinkPad Configuration
IBM ThinkPad EasyEject Utility
IBM ThinkPad Keyboard Customizer Utility
IBM ThinkPad Power Management Driver
IBM ThinkPad Presentation Director
IBM ThinkPad UltraNav Driver
IBM ThinkPad UltraNav Wizard
IBM TrackPoint Accessibility Features
IBM Update Connector
Informatik Docview 10.0
Intel(R) PRO Network Adapters and Drivers
interneTIFF 6.2-PRO (IE Browser-SITE)
InterVideo WinDVD
IPMaster
iTunes
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_04
Kyocera Mita Scanner Driver
LawDesk
LawDesk 5.1
LexisNexis Download and Print for Internet Explorer
LiveUpdate 1.6 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft ActiveSync 4.0
Microsoft AntiSpyware
Microsoft Data Access Components KB870669
Microsoft Office Professional Edition 2003
Motorola Handset USB Driver
Mozilla Firefox (1.0.7)
MSN Music Assistant
Napster
Norton AntiVirus Corporate Edition
Opticon
Outlook Express Q837009
PaperPort 8.0
PASAT
PC Master
PC-Doctor for Windows
PCT-SAFE Online Filing
PdaNet for Windows Mobile 1.14
Picsel File Viewer
QuickTime
Roxio Burn Engine
SnagIt 6
Spybot - Search & Destroy 1.4
Support.com Software
ThinkPad FullScreen Magnifier
ThinkPad Software Installer
TPNala Wallpaper
Treo 700w User Guide
tunebite 3.0.0.5
USPTO Direct 6.0
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Installer 3.0 (KB884016)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839643
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) Q819696
WinZip
XPort
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar

and I notice that tpnala wallpaper seems odd...

cont...
 
cont.

and just for good measure...

Logfile of HijackThis v1.99.1
Scan saved at 9:04:30 AM, on 5/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [USPTO Direct Recovery] "C:\Program Files\USPTO\etdirrcv.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.cnn.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.cnn.com
O16 - DPF: {26BFFB87-5B07-4611-82BB-AF3947013FDD} (DAPCtl Class) - http://www.lexis.com/dl/IEDAP.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138402863458
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://66.147.8.11/TSWEB/msrdp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.napster.com/client/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
 
Good morning and it looks like you ran ewido before you cleaned out the system restore? If you had done that first, those items would not have been there.
If you have not done this, please do it now, I would hate to have to use System Restore as all of that junk would get back on the computer. Here are manual instructions:
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Uninstall list: There are several items I do not know, but nothing jumps out as malware. I encourage you to take the time to uninstall programs you do not know (check first to make sure they are not needed for the computer to run) or no longer use.

Viewpoint Manager (Remove Only)
Viewpoint Media Player
I suggest you remove this item, see this information:
http://www.clickz.com/news/article.php/3561546
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint

This: Java 2 Runtime Environment, SE v1.4.2_04Please review this information and clean out the old Java as suggested:
http://forums.spybot.info/showthread.php?t=2559

Logfile of HijackThis v1.99.1 Scan saved at 9:04:30 AM, on 5/12/2006
(if you do not use these as your startpage, you may remove them with HJT)
O14 - IERESET.INF: START_PAGE_URL=http://www.cnn.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.cnn.com

While I have supplied you with links to freeware programs with great reputations, I suggest you read this information:
http://castlecops.com/r277-Spyware_Eliminator.html This product:
O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe (file missing)
has a very poor rating with spyware removers and folks in general. I would not have it on any of my computer...your call.

There are a few items booting at startup that you may not need and could start in All Programs when needed. Look at the O4 - HKLM\..\Run: Items, if you do not know what it is, Google the executable.
Example: O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe <<< Google >>> http://www.liutilities.com/products/wintaskspro/processlibrary/cfd/ since that leaves questions I would ask the ISP...hey can I turn that off to save resources and start it if you need it?
the computer seems to be running fine with the exception of right after it starts up, before the icons appear on the desktop, the screen goes completely blue, and once the icons come back, they are surrounded by the blue highlighting...
Click to expand...
Something in your settings has been changed by one of the malware programs, try these to see what happens:
_________________________________________________________________
http://www.msfn.org/board/lofiversion/index.php/t21581.html
Restore desktop themes
_________________________________________________________________
1. Click Start, and then click Control Panel.
2. Double-click Display, click the Desktop tab, and then click Customize Desktop.
3. Select Restore Defaults
_________________________________________________________________

It could be possible, after reboot that the system is using the windows classic theme again.
To restore this and set it back to XP-theme, rightclick on your desktop > properties > tab Appearances and choose Windows XP style again under windows and buttons.
Click apply and OK.

Let me have a final report when you can...Thanks
 
THANK YOU!!! I truly appreciate all of your kind assistance with this....I believe that I working back to normal and I definitely have you to thank.

Thanks again!

Kindest Regards,

Neil
 
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me, pskelley or Tashi know.
 
You must log in or register to reply here.
Back
Top